Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm - PowerPoint PPT Presentation

About This Presentation
Title:

Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm

Description:

Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm Thorsten Holz, Moritz Steiner, Frederic Dahl, Ernst Biersack, Felix Freiling – PowerPoint PPT presentation

Slides: 25
Provided by: NateHa
Learn more at: https://eecs.ceas.uc.edu

Transcript and Presenter's Notes

Title: Measurements and Mitigation of Peer-to-peer Botnets: A Case Study on Storm Worm


1
  • Measurements and Mitigation of Peer-to-peer
    Botnets A Case Study on Storm Worm
  • Thorsten Holz, Moritz Steiner, Frederic Dahl,
    Ernst Biersack, Felix Freiling

2
What is a botnet?
  • A bot is a hacked computer with some remote
    control mechanism
  • A botnet is a network of these machines.
  • Typically under the control of one person or
    group.

3
How are they used?
  • Spam
  • DDoS
  • Phishing

4
How are machines compromised?
  • Worms
  • Trojans (Storm)
  • Links to malicious sites (Storm)

5
Tracking Botnets
  • Best technique is to use honeypots
  • A bot must contain information on how to
    bootstrap itself within the botnet.
  • Obtain information on how to connect
  • Craft a special client to do so

6
Botnet Control Mechanisms
  • IRC
  • HTTP
  • A custom method
  • P2P (the latest and greatest)

7
Storm Botnet
  • Propagates solely through email
  • Named from the Kyrill Storm in Europe
  • At one point, responsible for 10% of all spam
  • Changes social engineering theme in emails
    frequently
  • P2P

8
Storm Botnet, cont.
  • Very sophisticated binary packer
  • Rootkit
  • Time synchronized with NTP

9
P2P Botnets
  • Storm botnet uses P2P.
  • Publish/subscribe style of communication
  • Unauthenticated

10
Publish/Subscribe
  • Information is not directly sent
  • An information provider publishes a piece of
    information, i, by using an identifier that is
    derived solely from i.
  • A consumer can subscribe to that information by
    using a filter on the identifiers
  • The identifiers are usually derived from specific
    content or a hash function
  • The P2P system matches the published items to the
    subscriptions and delivers the information

11
Storm P2P Scheme
  • Uses the Overnet DHT (Distributed Hash Table)
    Routing Protocol
  • Also starting to use Stormnet, which is encrypted
    by XORing with a 40-byte key.
  • Still unauthenticated
  • Each client generates a 128-bit ID

12
Routing Lookup
  • Uses prefix matching
  • Node a forwards a query for ID d to the node in its
    routing table whose ID has the smallest XOR distance
    to d.
  • XOR distance is done on the DHT ids
  • A peer stores more contacts that are closer

13
Routing Query
  • Done iteratively.
  • A node sends route requests to 3 peers, and they
    may or may not return peers that are even closer
    to the DHT ID.
  • These closer peers are then queried in the same
    manner.

14
Publishing in Depth
  • Uses a key to identify and retrieve information
  • To deal with node churn, a key is published on 20
    peers and is periodically republished.
  • Infected machines search for keys that the
    controller publishes.

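The routing lookup, key publication and retrieval described on slides 12 through 14, as an added simulation that is not code from the presentation or from the Storm research: a small Overnet-style DHT with 128-bit IDs, XOR-distance routing tables, iterative lookups that query 3 peers per round, and keys replicated on the 20 closest peers. The `key_for` hashing, the `Dht` class and all sample values are constructed for this example.

```python
import hashlib, random

ID_BITS = 128    # Overnet/Storm client IDs are 128-bit (slide 11)
ALPHA = 3        # route requests sent per lookup step (slide 13)
REPLICAS = 20    # peers a key is published on, to survive churn (slide 14)

def key_for(name):  # constructed stand-in for Overnet's key hashing
    return int.from_bytes(hashlib.md5(name.encode()).digest(), "big")

class Dht:
    def __init__(self, n_peers, seed=1, per_bucket=3):
        rng = random.Random(seed)
        self.peers = [rng.getrandbits(ID_BITS) for _ in range(n_peers)]
        self.store = {}      # peer -> {key: set of published values}
        self.contacts = {}   # peer -> routing table (list of peer IDs)
        for p in self.peers:
            buckets = {}
            for q in rng.sample(self.peers, len(self.peers)):
                # Bucket = highest differing bit (0 means q is p itself); near
                # buckets are small, so p knows more of its close peers (slide 12)
                b = (p ^ q).bit_length()
                if b and len(buckets.setdefault(b, [])) < per_bucket:
                    buckets[b].append(q)
            self.contacts[p] = [q for lst in buckets.values() for q in lst]

    def closest(self, ids, target, k):  # rank by XOR distance to target
        return sorted(set(ids), key=lambda p: p ^ target)[:k]

    def lookup(self, start, target, k=REPLICAS):
        """Iterative lookup (slides 12-13): query the ALPHA closest unqueried peers,
        merge their contacts, stop once the k closest known peers are all queried."""
        known = self.closest(self.contacts[start] + [start], target, k)
        queried, rounds = set(), 0
        while True:
            batch = [p for p in known if p not in queried][:ALPHA]
            if not batch:
                return known, rounds   # closest peers found, lookup rounds used
            rounds += 1
            for p in batch:
                queried.add(p)
                known = self.closest(known + self.contacts[p], target, k)

    def publish(self, publisher, key, value):  # replicate on REPLICAS closest peers
        holders, _ = self.lookup(publisher, key)
        for p in holders:
            self.store.setdefault(p, {}).setdefault(key, set()).add(value)
        return holders

    def search(self, searcher, key):  # unauthenticated: any publisher's values
        holders, _ = self.lookup(searcher, key)
        return set().union(*(self.store.get(p, {}).get(key, set()) for p in holders))
```

Because `search` simply merges whatever the located holders store under the key, it also makes visible why the pollution mitigation on slide 22 works: nothing distinguishes the controller's values from anyone else's.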
15
Storm Communication
  • To find other Storm machines, a bot subscribes to
    a key based on a function of the current day
    and a random number between 0 and 31.
  • f(d, r) → key

16
Storm Publish Method
  • On Overnet, the Storm bots publish information in
    the following format .mpgsize

17
Infiltrating a botnet
  • Can be dangerous
  • Craft a special P2P client
  • Goal is to defeat the control structure

18
Crawling the Botnet
  • After building a custom P2P client, they can
    crawl the botnet by using a BFS.
  • Issue route requests to find all the peers.
  • Takes 20 to 40 seconds.

19
Spying on the Botnet
  • Use a Sybil attack.
  • Introduce malicious peers to the botnet to gain
    control of parts or all of the network
  • Can monitor traffic or reroute requests to the
    wrong peers

20
Mitigation
  • When the attacker wants to issue a command, he
    publishes the information on the network
  • Because the information is unauthenticated, any
    member of the P2P network can publish information
  • From this, we can publish our own information to
    try to disrupt the communication channel

21
Eclipse Attack
  • Position sybils closely around a keyword K.
  • Make the DHT IDs of the sybils close to the hash
    value of K.
  • Announce these sybils to the peers to poison the
    tables.
  • Does not completely eclipse a particular keyword.
  • Overnet uses the entire hash space for a keyword.

22
Polluting
  • Publish a very large number of files using the
    keyword K.
  • This overwrites the real content previously
    published under K.
  • Their results showed that this is very effective.

23
Pollution Results
  • As more polluted content is published, the true
    content decreases and is virtually eliminated.

24
  • Questions?